Data subjects have the right to have their stored data corrected without delay if a controller processes it incorrectly or incompletely. This is how you check the claims of data subjects and ensure a UK GDPR-compliant rectification.
What is the right of rectification?
The right to rectification according to Art. 16 of the United Kingdom General Data Protection Regulation (UK GDPR) is one of the so-called data subject rights. With this right, a data subject can demand the immediate rectification of inaccurate or incomplete data processed about them. This right is always directed against one or more controllers of personal data.
The right to rectification is linked to the principle of accuracy from Article 5 (1) (d) of the UK GDPR, according to which personal data must be factually correct and, where necessary, up to date.
What is the content of the right of rectification?
Stored data is not always accurate. A right to rectification first requires that a controller processes personal data that is inaccurate or incomplete. The processing mainly involves the storage of personal data. The UK GDPR mentions two cases for this:
Correction of inaccurate personal data
One speaks of “incorrect” data if its content is untrue, i.e. it does not correspond to reality (Art. 16 sentence 1 UK GDPR). This is the case, for example, if a person’s surname has changed. The claim therefore basically refers to statements of fact and not to opinions or value judgements.
It is therefore irrelevant whether the data were already incorrect at the time of storage or have become incorrect due to a subsequent change of circumstances.
If the data subject exercises his or her right, the data controller must correct the data without delay. This means that the substantively untrue data must be replaced by the substantively true data. However, “without delay” does not necessarily mean “immediately”. Rather, the time period must be determined for each individual case. As a rule of thumb, action within two weeks is appropriate. Shorter or longer periods may apply, depending on the particular facts of the case.
When correcting personal data, you should of course observe the accountability requirements of the UK GDPR. This means that it must also be traceable at a later date who changed the data and why.
Correction of incomplete personal data
If the controller has stored “incomplete” personal data which are so incomplete that the purpose of the processing can no longer be achieved, the controller must also rectify them (Art. 16 sentence 2 UK GDPR). For this purpose, the data record of the data subject must be supplemented accordingly.
An example: When checking creditworthiness, the information about a refusal to pay is incomplete if it is not apparent that the reason for this is an incorrect delivery of goods.
In the case of completion, the UK GDPR does not speak of “without delay”, but in order to comply with the principles of fairness and transparency, a prompt completion is to be assumed here as well. Therefore, we also recommend a correction within two weeks in such cases.
If the actual data set is complete, the data subject may require the controller to prove the completion by a corresponding supplementary declaration.
Form of the rectification claim
Before exercising the right to rectification, the data subject should make a claim for information under Art. 15 UK GDPR, from which they learn what data is held about them and for what purposes it is processed. The claim can also be considered for information about individuals that has been made publicly available.
If the data subject wishes to exercise their right to rectification, they must submit a related request to the controller. The form of the request is not specified by law. However, the controller must offer the data subject the possibility to submit requests electronically (Recital 59 of the UK GDPR). This applies in particular if the controller also processes the personal data electronically.
Verification of identity
If the data subject has not proven their identity in an appropriate manner, the controller must inform them of this and request additional information to confirm the identity. If this information is not sufficient for the data controller to dispel reasonable doubts, the data controller may refuse to correct the data under the conditions of Art. 12 (2) UK GDPR. In order to do so, the controller must credibly demonstrate that it is unable to identify the data subject.
If the data subject has been able to prove their identity, the actual task begins for the data controller. The controller must first check whether the data are actually incomplete or incorrect. However, to ensure that no further – untrue or incomplete – processing of the data takes place during this time, the data subject has a right to restriction of processing according to Art. 18 (1) (a) of the UK GDPR for the period during which the controller is reviewing the request.
Consequence of a rejection of the correction
The controller must give reasons for a refusal to rectify the data. For this purpose, they must inform the data subject of the reasons for the refusal without delay, but at the latest within one month after receipt of the request. At the same time, they must inform the data subject of the possibility of lodging a complaint with the Information Commissioner's Office or seeking judicial remedy (Art. 12 (4) UK GDPR).
Exceptions to the right of rectification
No rule is without exceptions. Art. 23 UK GDPR allows the UK legislators to limit the transparency obligations from Art. 16 UK GDPR. These exceptions are listed exhaustively in Art. 23 (1) UK GDPR. They include cases of national security or public safety, national defence or the prevention and prosecution of criminal offences. In these cases, access to information and the use of information should be guaranteed without restriction, to the extent that this is permissible under UK law.
Conclusion: Corrections must be carried out quickly, in a controlled and documented manner.
Data controllers should respond to a request for rectification of personal data in a timely manner. Sufficient identification of the data subject and documentation of the rectification is essential.
Under Art. 19 UK GDPR, data controllers must communicate any rectification of personal data to each recipient to whom the personal data has been disclosed, unless this is impossible or involves a disproportionate effort. Such recipients must also be communicated to the data subject if the data subject asks. If the data subject has exercised their right to information they must have been informed about the recipients in any case.
As you can see from our various guides on data subjects' rights and the ICO's guidance on dealing with data subject requests for rectification, it is worth standardising these processes for answering data subject requests.